diff --git a/pom.xml b/pom.xml
index 2333af1..8c81233 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
 org.openconext tiqr-java-connector
- 2.0.1
+ 2.0.2
 tiqr-java-connector
diff --git a/src/main/java/tiqr/org/DefaultTiqrService.java b/src/main/java/tiqr/org/DefaultTiqrService.java
index 1a5be85..d33b821 100644
--- a/src/main/java/tiqr/org/DefaultTiqrService.java
+++ b/src/main/java/tiqr/org/DefaultTiqrService.java
@@ -18,6 +18,7 @@
 import java.time.Instant;
 import java.util.List;
 import java.util.Optional;
+import java.util.UUID;
 public class DefaultTiqrService implements TiqrService {
@@ -81,7 +82,8 @@ public MetaData getMetaData(String enrollmentKey) throws TiqrException {
 LOG.debug("Get metadata for enrollment for user " + enrollment.getUserID());
- enrollmentRepository.save(enrollment);
+ enrollment.setRegistrationId(UUID.randomUUID().toString());
+ enrollment = enrollmentRepository.save(enrollment);
 return new MetaData(Service.addEnrollmentSecret(this.service, enrollmentSecret), new Identity(enrollment));
 }
@@ -104,6 +106,8 @@ public Registration enrollData(Registration registration) throws TiqrException {
 Instant now = Instant.now();
 registration.setCreated(now);
 registration.setUpdated(now);
+ registration.setId(enrollment.getRegistrationId());
+ registration.setUsePrimaryIdentifier(true);
 Registration savedRegistration = registrationRepository.save(registration);
@@ -145,7 +149,7 @@ public Authentication startAuthentication(String userId, String userDisplayName,
 String challenge = Challenge.generateQH10Challenge();
 String authenticationUrl = String.format("%s/tiqrauth/?u=%s&s=%s&q=%s&i=%s&v=%s",
 eduIdAppBaseUrl,
- encode(userId),
+ encode(registration.isUsePrimaryIdentifier() ? registration.getId() : userId),
 encode(sessionKey),
 encode(challenge),
 encode(this.service.getIdentifier()),
diff --git a/src/main/java/tiqr/org/model/Enrollment.java b/src/main/java/tiqr/org/model/Enrollment.java
index b3cfc86..0dd4777 100644
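Review bot: The reason for minting a random id is not recorded next to `enrollment.setRegistrationId(UUID.randomUUID().toString());` in getMetaData, although this is where the identifier used by the rest of the change originates. A comment such as `// Opaque id handed to the app instead of the userID; enrollData copies it onto the Registration` would make that link explicit. The assignment is also unconditional, so it presumably relies on a status check earlier in getMetaData (outside this hunk) to stop a second call from replacing an id that was already issued; worth confirming.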
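Review bot: `registration.setId(enrollment.getRegistrationId())` in enrollData has no guard for an enrollment whose registrationId was never set, for example one whose metadata was fetched before this version was deployed. In that case the registration is saved with a null id and `usePrimaryIdentifier` set, and startAuthentication would later pass that null to `encode(...)`. Setting both only when the id is present keeps such enrollments on the userId path: `if (enrollment.getRegistrationId() != null) { registration.setId(enrollment.getRegistrationId()); registration.setUsePrimaryIdentifier(true); }`. The Identity constructor hunk reads the same field and would hand out a null identifier for the same enrollments. How `enrollment` is loaded sits outside this hunk.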
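Review bot: The new ternary for the `u=` parameter in startAuthentication is not covered by either TiqrServiceTest hunk in this commit; they assert only on the enrollment path. A test that starts an authentication for a registration with `usePrimaryIdentifier` set and for one without it, and checks which value ends up in the URL, would pin both branches. The code that later matches the app's response to a registration is not part of this diff; if it still resolves the registration by userId, it presumably needs the same switch. The lookup of `registration` is above the hunk.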
--- a/src/main/java/tiqr/org/model/Enrollment.java
+++ b/src/main/java/tiqr/org/model/Enrollment.java
@@ -23,6 +23,7 @@ public class Enrollment implements Serializable {
 private String userID;
 private String userDisplayName;
 private EnrollmentStatus status;
+ private String registrationId;
 private Instant created;
 private Instant updated;
diff --git a/src/main/java/tiqr/org/model/Identity.java b/src/main/java/tiqr/org/model/Identity.java
index 01db2be..e41a0ac 100644
--- a/src/main/java/tiqr/org/model/Identity.java
+++ b/src/main/java/tiqr/org/model/Identity.java
@@ -13,7 +13,7 @@ public class Identity {
 private String displayName;
 public Identity(Enrollment enrollment) {
- this.identifier = enrollment.getUserID();
+ this.identifier = enrollment.getRegistrationId();
 this.displayName = enrollment.getUserDisplayName();
 }
 }
diff --git a/src/main/java/tiqr/org/model/Registration.java b/src/main/java/tiqr/org/model/Registration.java
index 7cea4ba..a3ff7b4 100644
--- a/src/main/java/tiqr/org/model/Registration.java
+++ b/src/main/java/tiqr/org/model/Registration.java
@@ -28,6 +28,7 @@ public class Registration implements Serializable {
 private RegistrationStatus status;
 private Instant created;
 private Instant updated;
+ private boolean usePrimaryIdentifier;
 public void validateForInitialEnrollment() {
 validateForPushNotification();
diff --git a/src/test/java/tiqr/org/TiqrServiceTest.java b/src/test/java/tiqr/org/TiqrServiceTest.java
index 536c906..13b4a79 100644
--- a/src/test/java/tiqr/org/TiqrServiceTest.java
+++ b/src/test/java/tiqr/org/TiqrServiceTest.java
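Review bot: `usePrimaryIdentifier` in Registration is added without a comment, and the name does not say which identifier is meant. A field comment such as `// true when the app was enrolled with this registration's id as its identifier; false (presumably the stored default for older registrations) keeps the userId in the authentication URL` would help, and `registrationId` in the Enrollment hunk deserves a similar line. Both classes implement Serializable, so if instances are Java-serialized anywhere and no serialVersionUID is declared (not visible here), the added fields would change the computed one.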
@@ -73,6 +73,7 @@ void enrollmentScenario() throws TiqrException {
 assertNotNull(enrollmentSecret);
 assertEquals(EnrollmentStatus.RETRIEVED, tiqrService.enrollmentStatus(enrollment.getKey()).getStatus());
+ assertEquals(metaData.getIdentity().getIdentifier(), enrollment.getRegistrationId());
 when(enrollmentRepository.save(any(Enrollment.class))).thenAnswer(i -> i.getArguments()[0]);
 when(registrationRepository.save(any(Registration.class))).thenAnswer(i -> i.getArguments()[0]);
@@ -80,6 +81,7 @@ void enrollmentScenario() throws TiqrException {
 Registration registration = getRegistration(enrollmentSecret);
 Registration result = tiqrService.enrollData(registration);
+ assertEquals(metaData.getIdentity().getIdentifier(), registration.getId());
 SecretCipher cipher = new SecretCipher("secret");
 assertEquals(result.getSecret(), cipher.encrypt(sharedSecret));
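Review bot: Both added assertions compare two values that derive from the same field, so they also pass when the id is null on both sides, for instance if `setRegistrationId` were dropped from getMetaData. Adding `assertNotNull(enrollment.getRegistrationId());` before the first one, and `assertNotNull(registration.getId());` before the one in the second hunk, would make the test fail in that case. enrollmentScenario starts and ends outside these hunks.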